Linux - Security

This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

Welcome to LinuxQuestions.org, a friendly and active Linux Community.

Basically I am trying to configure, using iptables on CentOS 5.8, a rule to block all IP addresses trying to access port 80/443 but only allow 3 IP addresses to access.

Can I use 0.0.0.0 in the below rule?

Code:

iptables -A INPUT -s 0.0.0.0 -p tcp --destination-port 80 -j DROP

If the above rule would work, is there a specific order I would need to put the rule to allow access? I only ask because when using something like Squid Proxy you would need to enter rules in a certain order.

If I was to add the 4 rules you suggested, wouldn't that mean that all traffic would be blocked to other ports, i.e. ssh, mysql etc.? So would that mean I would have to add rules afterwards to allow access to these ports/services for all IPs/specific IPs?

Quote:

If I was to add the 4 rules you suggested, wouldn't that mean that all traffic would be blocked to other ports, i.e. ssh, mysql etc.? So would that mean I would have to add rules afterwards to allow access to these ports/services for all IPs/specific IPs? (snip for brevity)...

This is correct. You want to add a rule to allow each service that you want to make available. I noticed that you used port 3306, MySQL, as an example and wanted to comment on this one. I would recommend that, if you can at all avoid it, you don't make MySQL accessible to the public, and this goes for phpMyAdmin as well. Instead, you will want to restrict it by binding it to an interface, such as localhost, and use a firewall wrapper to prevent access from the outside.
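The two points raised so far (whether `-s 0.0.0.0` matches every source, and why the per-IP ACCEPT rules have to come before the DROP) come down to two facts about iptables: a bare address with no mask is treated as a /32, so `-s 0.0.0.0` matches only packets whose source really is 0.0.0.0 (the "any" form is `0.0.0.0/0`, or simply omitting `-s`), and a chain is evaluated top to bottom with the first matching rule deciding. The following added example is not from the thread or from any poster; it simulates that first-match evaluation in Python so the ordering can be checked offline, and prints the equivalent `iptables` command lines. The client addresses, the LAN subnet and the choice of ports are constructed assumptions. It deliberately omits the loopback and `ESTABLISHED,RELATED` rules and the chain policy, which a real ruleset still needs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addresses for the three permitted web clients; not from the thread.
ALLOWED_WEB_SOURCES = ["203.0.113.10", "198.51.100.25", "192.168.1.0/24"]
LAN_SUBNET = "192.168.1.0/24"   # assumed internal network the server sits on
ANY = "0.0.0.0/0"               # what iptables actually needs for "any source"


@dataclass
class Rule:
    source: str              # address or CIDR; iptables treats a bare address as /32
    dport: Optional[int]     # destination TCP port, None = any port
    target: str              # "ACCEPT" or "DROP"

    def matches(self, src_ip: str, dport: int) -> bool:
        net = ipaddress.ip_network(self.source, strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
        return self.dport is None or self.dport == dport

    def as_iptables(self) -> str:
        """Render the rule as the command line that would append it to INPUT."""
        parts = ["iptables", "-A", "INPUT"]
        if self.source != ANY:
            parts += ["-s", self.source]
        parts += ["-p", "tcp"]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def evaluate(chain: List[Rule], src_ip: str, dport: int, policy: str = "ACCEPT") -> str:
    """First matching rule decides, exactly as in an iptables chain; the chain
    policy applies only when nothing matches."""
    for rule in chain:
        if rule.matches(src_ip, dport):
            return rule.target
    return policy


def build_chain(allowed_web=ALLOWED_WEB_SOURCES, lan=LAN_SUBNET) -> List[Rule]:
    """ACCEPT rules for a port must precede the DROP for that port, since first match wins."""
    chain: List[Rule] = []
    chain.append(Rule(ANY, 22, "ACCEPT"))            # keep SSH reachable (narrow -s in practice)
    for port in (80, 443):
        for src in allowed_web:
            chain.append(Rule(src, port, "ACCEPT"))
        chain.append(Rule(ANY, port, "DROP"))        # everyone else is dropped for this port
    chain.append(Rule(lan, 3306, "ACCEPT"))          # MySQL only from the internal network
    chain.append(Rule(ANY, 3306, "DROP"))            # redundant if the chain policy is DROP
    return chain


def bare_zero_address_matches_everyone() -> bool:
    """'-s 0.0.0.0' with no mask means 0.0.0.0/32, so it does NOT match ordinary clients."""
    return Rule("0.0.0.0", 80, "DROP").matches("203.0.113.10", 80)


if __name__ == "__main__":
    chain = build_chain()
    for rule in chain:
        print(rule.as_iptables())
    print("allowed client   :", evaluate(chain, "203.0.113.10", 80))
    print("other client     :", evaluate(chain, "192.0.2.7", 80))
    print("misordered chain :", evaluate(list(reversed(chain)), "203.0.113.10", 80))
    print("-s 0.0.0.0 matches everyone?", bare_zero_address_matches_everyone())
```

Reversing the chain puts the DROP for port 80 ahead of the ACCEPT rules and the permitted client is dropped, which is the ordering problem the question anticipates. The simulator returns the chain policy for ports no rule mentions; with a default `ACCEPT` policy, a port such as 5555 stays open unless a final catch-all DROP rule (or a `DROP` policy) is added, which is what the reply means by adding a rule per service you want to expose.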

Would this be suitable to prevent access to MySQL unless you were on the internal network which the server is a part of?

BTW, I have Apache and MySQL running on one box which is serving a DB-driven website, which is being accessed by 2 external locations and 1 internal location (where the server is located, hence the idea of locking down port 80 to 3 IPs) (OK, 2 IPs and 1 IP range).

When you said "Use a firewall wrapper to prevent access from the outside", did you mean using iptables or a hardware device, i.e. a router, or both?

Thanks again.

EDIT: I know it looks bad that I have 3306 open but I have strong passwords and only 3 DB users. I also have DenyHosts and OSSEC running and users get blocked after a certain amount of failed attempts. My hosts.deny file is HUGE lol.

If they aren't using direct access to MySQL and are only accessing it indirectly via the web page, there is no need to permit access to port 3306 at all. Based upon your description of "Apache and MySQL running on one box which is serving a DB-driven website", I don't think you need to open port 3306 at all. On the other hand, if for example they are using your centralized SQL server and connecting to it, these rules would work to restrict it. The last one is not necessary if you have a generalized drop for all other traffic.

With respect to "Use a firewall wrapper to prevent access from the outside", I meant it as outside of the desired range, which could be anything from outside of that particular server to your LAN subnets. iptables can be used for this function as it can filter based upon source and destination, but if you have a hardware firewall or router, I would also keep port 3306 closed there too. The more layers the better.

Quote:

I know it looks bad that I have 3306 open but I have strong passwords and only 3 DB users. I also have DenyHosts and OSSEC running and users get blocked after a certain amount of failed attempts. My hosts.deny file is HUGE lol.

A very wise precaution, and good thinking which definitely puts you ahead of many!

One thing that occurred to me, that I thought I would mention because it wasn't obvious to me at first, is that if you have users connecting to MySQL, the format for the user is user@domain. Normally, when you create a user it defaults to localhost and the domain part goes unnoticed. In situations where you have connections to the database from another machine you can make use of this by specifying the host name for domain (or rather, however that machine identifies itself on the network). This is as opposed to using a syntax like 'user'@'%', which would be a wildcard. This would add another layer to the authentication requirements, helping to keep out those who shouldn't be there.
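The two MySQL-side controls discussed in this thread, binding the server to localhost and pinning each account to the host it connects from (MySQL accounts are `'user'@'host'`, where `%` and `_` act as wildcards), can both be checked without touching the firewall. The following added example is not from the thread or from any poster; it is a small Python audit that reads a `my.cnf` fragment for `bind-address` and a list of `(User, Host)` pairs such as `SELECT User, Host FROM mysql.user` would return, and reports accounts and settings that leave the database reachable more widely than the website needs. The configuration fragment and account rows are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Constructed my.cnf fragment (not from the thread): listens on every interface.
SAMPLE_MY_CNF = """
[mysqld]
datadir=/var/lib/mysql
bind-address=0.0.0.0
"""

# Constructed rows in the shape of: SELECT User, Host FROM mysql.user;
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("root", "localhost"),
    ("webapp", "localhost"),         # the website's account, local Apache only
    ("report", "%"),                 # wildcard host: any machine may try this login
    ("office", "192.168.1.50"),      # pinned to one internal client
    ("branch", "%.example.com"),     # partial wildcard, still a broad match
]

LOCAL_ONLY = {"127.0.0.1", "localhost", "::1"}


def bind_address(my_cnf: str) -> Optional[str]:
    """Return the bind-address set under [mysqld], or None when it is not set."""
    in_mysqld = False
    for raw in my_cnf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_mysqld = line.lower() == "[mysqld]"
            continue
        if in_mysqld:
            m = re.match(r"bind[-_]address\s*=\s*(\S+)", line)
            if m:
                return m.group(1)
    return None


def listens_beyond_localhost(my_cnf: str) -> bool:
    """True when MySQL accepts TCP connections from other hosts.
    An absent bind-address means all interfaces, as does 0.0.0.0 or any non-loopback address."""
    addr = bind_address(my_cnf)
    return addr is None or addr not in LOCAL_ONLY


def wildcard_accounts(users: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Accounts whose Host part contains a MySQL wildcard (% or _)."""
    return [(user, host) for user, host in users if "%" in host or "_" in host]


def audit(my_cnf: str = SAMPLE_MY_CNF, users: List[Tuple[str, str]] = SAMPLE_USERS) -> List[str]:
    """Collect findings; an empty list means both controls are in place."""
    findings = []
    if listens_beyond_localhost(my_cnf):
        findings.append(
            f"bind-address={bind_address(my_cnf)}: MySQL is reachable from other hosts; "
            "set bind-address=127.0.0.1 when only the local web server needs it"
        )
    for user, host in wildcard_accounts(users):
        findings.append(
            f"'{user}'@'{host}' uses a wildcard host; pin it to the client's address "
            f"or name, e.g. '{user}'@'CLIENT_ADDRESS'"
        )
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Because account matching happens after the TCP connection is accepted, a wildcard host only becomes a problem when the port is reachable at all; the bind-address check and the firewall rules in the earlier replies are what keep the port closed, and host-pinned accounts are the extra layer the post above describes for the clients that legitimately connect over the network.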